Development in computer and Internet technologies has an ever-increasing impact on human society and our way of life. Personal computers, laptops, tablets, smartphones and other communication devices provide instant access to information anywhere in the world. E-mail, instant messaging, IP telephony and social networks allow people to communicate and share information with each other. However, this growth in computer and communication technologies has also fueled the emergence and spread of computer malware, such as viruses, worms and Trojans, which cybercriminals use for a variety of malicious purposes.
Typical malicious activities range from banal hooliganism to serious cybercrimes, such as the theft of financial assets from bank accounts, and even cyber terrorism against nations. Cybercriminals also constantly develop new methods for deploying malware on computer systems. For example, they actively exploit fresh vulnerabilities and make use of social engineering approaches, which, with the growth of social networks and other communication tools, have become especially popular among virus writers. Cybercriminals likewise constantly search for new ways to circumvent security and antivirus applications.
The majority of executable files examined today, malicious ones included, are so-called PE (Portable Executable) files in the PE format used by the Windows® family of operating systems, for which most malware is written. So that an antivirus application does not detect a malicious executable file during an antivirus scan, virus writers employ special applications, packers and cryptors, which compress, encrypt and otherwise modify the code of a malware executable file in an attempt to thwart its detection by antivirus applications.
A packer is a program that reduces the size of an executable file using compression. Specifically, during packing of a file, a compressed copy of the original file and an unpacking program (the unpacker stub) are written into the packed file. After the packed file is launched on a user's computer, the unpacker extracts the original program code from the embedded archive into system memory and transfers control to the unpacked program code. Many unpacking tools launch the file and create an unpacked version of it from the image loaded in system memory. However, if the file contained a virus, the user's computer could get infected in the process. In addition, packers have a number of ways of preventing the detection of malicious code by an antivirus application, for example, by only partially unpacking the code when the file is launched.
A cryptor is a program that encrypts executable files to hide their functionality from antivirus scanning engines, such as heuristic and signature analyzers. By means of a cryptor, for instance, an original program file is encrypted and code is written into its header which, upon launch, performs the decryption and executes the decrypted program. The simplest example is the spread of viruses or Trojan-horse applications in encrypted, password-protected archives, which cannot be detected by antivirus programs.
Packed and/or encrypted malware is hard to detect using conventional detection techniques, because the signatures and heuristics of the original code are not visible in the file on disk. Mechanisms for detecting packed and encrypted malware are therefore necessary.
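One widely used heuristic for the detection mechanism called for above is byte entropy: the body of a compressed or encrypted section looks close to uniformly random, whereas ordinary code and data do not. The following Python example is added here and is not code from the original text; it reads the PE section table, scores each section's raw bytes, and flags those above a threshold. The minimal PE image, the 7.0 bits-per-byte threshold, the section names and their contents are all constructed assumptions for the demonstration.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]       # DOS header -> PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                            # after COFF + optional header
    for i in range(num_sections):
        hdr = image[table + 40 * i: table + 40 * (i + 1)]      # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packed_sections(image: bytes, threshold: float = 7.0) -> list:
    """Names of sections whose entropy suggests compressed or encrypted content (threshold assumed)."""
    return [name for name, data in pe_sections(image) if shannon_entropy(data) >= threshold]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image with the given (name, data) sections; constructed test input."""
    opt_size = 0                                                # optional header omitted on purpose
    first_raw = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    headers, body, ptr = b"", b"", first_raw
    for name, data in sections:
        headers += struct.pack("<8sIIII", name, len(data), ptr, len(data), ptr) + b"\0" * 16
        body += data; ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + headers + body


def sample_image() -> bytes:
    """Low-entropy '.text' beside a pseudo-random '.pck0' standing in for a packed section."""
    rng = random.Random(7)
    return build_sample_pe([(b".text", b"\x55\x8b\xec\xc3" * 512),
                            (b".pck0", bytes(rng.getrandbits(8) for _ in range(4096)))])
```

Real packed files also often show a non-standard section name and a tiny entry-point section next to a large high-entropy one, so this score is best combined with those structural checks rather than used alone.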